Uploaded image for project: 'Qpid'
  1. Qpid
  2. QPID-8064

[Broker-J] FileKeyStore should validate java keystore content to make sure that private key is present

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: qpid-java-6.0.8, qpid-java-broker-7.0.0, qpid-java-6.1.5
    • Fix Version/s: qpid-java-broker-7.1.0
    • Component/s: Broker-J
    • Labels:
      None

      Description

      Currently Broker-J does not issue any error or warning when private key is missed in java keystore (i.e., truststore is provided instead of keystore). We should add a validation for the private key and deny keystore creation (or recovery) if private key is not present.

      When keystore without private key is configured, an attempt to make TLS fails, but the root cause of the failure is difficult to debug. Even when java debug logging is enabled (-Djavax.net.debug=all) the logs for the handshake failure are confusing: "fatal error: 40: no cipher suites in common", for example

      HttpManagement-HTTP-392, READ: TLSv1 Handshake, length = 224
      *** ClientHello, TLSv1.2
      RandomCookie:  GMT: -1512757423 bytes = { 141, 10, 192, 6, 218, 230, 103, 203, 46, 231, 80, 160, 40, 21, 47, 125, 0, 149, 138, 74, 65, 251, 5, 165, 194, 45, 196, 236 }
      Session ID:  {}
      Cipher Suites: [Unknown 0xaa:0xaa, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
      Compression Methods:  { 0 }
      Unsupported extension type_10794, data:
      Extension renegotiation_info, renegotiated_connection: <empty>
      Extension server_name, server_name: [type=host_name (0), value=abcd24p9390.abc.ef.g1234567.net]
      Unsupported extension type_23, data:
      Unsupported extension type_35, data:
      Extension signature_algorithms, signature_algorithms: SHA256withECDSA, Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown (hash:0x8, signature:0x5), SHA384withRSA, Unknown (hash:0x8, signature:0x6), SHA512withRSA, SHA1withRSA
      Unsupported extension status_request, data: 01:00:00:00:00
      Unsupported extension type_18, data:
      Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
      Unsupported extension type_30032, data:
      Extension ec_point_formats, formats: [uncompressed]
      Extension elliptic_curves, curve names: {unknown curve 56026, unknown curve 29, secp256r1, secp384r1}
      Unsupported extension type_23130, data: 00
      ***
      [read] MD5 and SHA1 hashes:  len = 224
      0000: 01 00 00 DC 03 03 A6 D5   27 51 8D 0A C0 06 DA E6  ........'Q......
      0010: 67 CB 2E E7 50 A0 28 15   2F 7D 00 95 8A 4A 41 FB  g...P.(./....JA.
      0020: 05 A5 C2 2D C4 EC 00 00   26 AA AA C0 2B C0 2F 00  ...-....&...+./.
      0030: 9E C0 2C C0 30 CC A9 CC   A8 CC 14 CC 13 C0 13 00  ..,.0...........
      0040: 33 C0 14 00 39 00 9C 00   9D 00 2F 00 35 00 0A 01  3...9...../.5...
      0050: 00 00 8D 2A 2A 00 00 FF   01 00 01 00 00 00 00 24  ...**..........$
      0060: 00 22 00 00 1F 76 73 69   6E 32 34 70 39 33 39 30  ."...abcd24p9390
      0070: 2E 73 76 72 2E 75 73 2E   6A 70 6D 63 68 61 73 65  .abc.ef.g1234567
      0080: 2E 6E 65 74 00 17 00 00   00 23 00 00 00 0D 00 14  .net.....#......
      0090: 00 12 04 03 08 04 04 01   05 03 08 05 05 01 08 06  ................
      00A0: 06 01 02 01 00 05 00 05   01 00 00 00 00 00 12 00  ................
      00B0: 00 00 10 00 0E 00 0C 02   68 32 08 68 74 74 70 2F  ........h2.http/
      00C0: 31 2E 31 75 50 00 00 00   0B 00 02 01 00 00 0A 00  1.1uP...........
      00D0: 0A 00 08 DA DA 00 1D 00   17 00 18 5A 5A 00 01 00  ...........ZZ...
      %% Initialized:  [Session-37, SSL_NULL_WITH_NULL_NULL]
      HttpManagement-HTTP-392, fatal error: 40: no cipher suites in common
      javax.net.ssl.SSLHandshakeException: no cipher suites in common
      %% Invalidated:  [Session-37, SSL_NULL_WITH_NULL_NULL]
      HttpManagement-HTTP-392, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
      HttpManagement-HTTP-392, WRITE: TLSv1.2 Alert, length = 2
      HttpManagement-HTTP-392, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
      

      The broker should not allow keystore creation without private key or at least one certificate.

        Attachments

          Activity

            People

            • Assignee:
              k-wall Keith Wall
              Reporter:
              orudyy Alex Rudyy
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: